Google's change to Chrome's login has ignited debate about whether the move was sneaky

Techies took to message boards, Twitter and their own blogs to debate whether changes Google made to the way people login to Chrome is a privacy threat.

Google quietly tucked a new feature into the latest Chrome update that automatically logs in users.

For many years, Chrome allowed users to surf the web via the browser without signing in. Now, if user sign into any of Google’s properties, they are signed in to Chrome.

Up until Matt Green wrote about the new login requirements, Google had said nothing about it. The company confirmed the change late Sunday night.

Google’s surprise change to a privacy setting in Chrome, the web’s No. 1 browser, is raising hackles from privacy advocates and some users of the product who say that the company has not been upfront enough.

The change, which was little noticed until a security researcher blogged about it on Sunday night, has left the internet company fighting a familiar criticism: that its appetite for data to fuel its online ad business trumps its concerns about its users.

Matthew Green, a security and cryptography researcher from Johns Hopkins University blogged about the change Google quietly made as part of the browser’s latest update, Chrome 69. Green wrote that from now on, when people login in to YouTube, Gmail or any of the company’s properties, they will automatically be logged in to Chrome at the same time.

Late on Sunday night, Google responded to the growing controversy by confirming the login change.

This is dramatic change and a possible threat to users’ privacy, according to Green.

“Google believes they can make these changes without consequence,” said Marc Rotenberg, the president of consumer privacy advocacy group EPIC. “The privacy model is simply broken. Companies are constantly changing the rules of the game.”

For years, Google allowed users of its Chrome browser to surf the web without logging in through a personal Google account. Chrome users didn’t have to worry that their web browsing history would be included with the other personal data Google maintains about registered users of its products. For that to happen, a user would have to sign in to Chrome and to consent to a “data sync” between Chrome and the other Google products they use.

What’s all the fuss about?

Now that Google logs people in to Chrome automatically, managers have removed one of those steps of protection, Green wrote. What’s more, he said, a new and “confusing” sync-consent page, makes it easy for users to mistakenly give up their browsing data to Google.

Eric Lawrence, a former Google employee who worked on Chrome but is now employed by rival Microsoft, said he doesn’t see any reason to be alarmed.

“Yes, Chrome has streamlined the opt-in to the browser’s “Sync” features, such that you no longer need to individually type your username and password when enabling Sync,” Lawrence wrote. “Whether you consider this “Great!” or “Terrible!” is a matter of perception and threat model.”

Lawrence points out that when someone clicks the consent button, they will then get a pop-up that informs them of the information they are agreeing to share with Google.

In that prompt, Google notifies users that the company will collect info from users’ “bookmarks, passwords, history and more on all your devices…Google may use content on sites you visit, plus browser activity and interactions to personalise Chrome and other Google services like Translate, Search and ads.”

Chrome owns more than 50 per cent of the browser market, followed by Mozilla’s FireFox (11%), Microsoft’s Internet Explorer (6.8%), and Apple’s Safari (5.1%).

‘My heart skips a beat’

Plenty of people wrote that they don’t see this as a benign change, including former Googlers. Michał Zalewski, is a computer security expert and former Google employee. He sided with Green that Google has made Chrome less safe.

“Don’t like to pile on,” Zalewski wrote on Twitter, “but I did rely on that as a visual confirmation that the browser is not doing something I didn’t want. Now, my heart skips a beat every time I see the profile-switch menu or chrome://settings – and it’d only take one mis-click to actually start syncing.”

Jon von Tetzchner, cofounder and CEO of Vivaldi Technologies and the Vivaldi browser, a rival to Chrome. He is also a frequent critic of Facebook and Google’s privacy practices. In an interview with Business Insider, von Tetzchner said that it’s disturbing Google has combined the logins for its properties. He said the upcoming Vivaldi version 2.0 requires users to sign in and go through a separate process before syncing data and he doesn’t believe the login procedures Google has adopted are common practice across the browser business.

“My impression is that Google and Facebook are unique,” he said. “They recognise where you’ve been and what you’ve done, online and off. They are gradually collecting more and more information about you.”

Green told Business Insider on Monday that when it comes to the browser market as a whole, Google’s new login requirements makes them an outlier. Green said that when it comes to the other browsers, “for the most part, if you’re not signed in, you’re not going to have your info uploaded anywhere.”

In tweets from Google, the company said that it made the change because of confusion caused when two Chrome users were using the same computer. Their browser data was often getting mixed up. Green outlined his scepticism about this in his blog post.

“Google’s reputation is hard-earned, and it can be easily lost,” Green wrote. “Changes like this burn a lot of trust with users. If the change is solving an absolutely critical problem for users, then maybe a loss of trust is worth it. I wish Google could convince me that was the case.”